Friday, July 21, 2017

Package Management is now almost ubiquitous in modern software development circles due to the layers upon layers of dependencies between software components which are pulled together to achieve an end result.

This is especially true in the open source world where the very nature of community and crowd source development encourages re-use of code at every opportunity.

From a licensing standpoint, this code combination and inheritance phenomenon has the potential to introduce wrinkles when investigating the provenance and or applicable licensing for a particular component.

Two of the most common package repositories for open source components are:

The Maven Repository containing almost 7 million artifacts as of the date of this post

The NuGet Gallery currently hosting about 1 million artifacts concentrated on the Microsoft development platform.

I was recently researching the licensing for a component automatically included in a project when a developer using the Microsoft Visual Studio IDE was working on a web based application. In effect, this "package" was pulled into the developer's work without their direct knowledge or choice from the NuGet Gallery repository. Apparently it was necessary for some foundational functionality related to processing java script.

Upon investigation, I discovered the original component was released by the copyright holder under an MIT license, but had apparently been bundled together and re-released by Microsoft under its own NuGet license. Nothing in the MIT license restricts this practice as long as primary attribution is maintained and promulgated, however there are additional terms in the NuGet license a consumer of this component might be more concerned about than when taking the code under the pure MIT license. For example, the NuGet license specifically grants Microsoft the right to collect certain information from a package consumer's computer and or project as a condition of use.

The lesson here is that package management can impact a user's rights to open source code if used indiscriminately. Depending on the use case, it might be worth some investigation to determine if a component is available under more benign terms.

Thursday, July 6, 2017

Cloud based infrastructure (IaaS), platform as a service (PaaS), serverless computing, DevOps architecture; these are all enticing concepts to the start-up business wanting to compete instantly with more mature organizations. However new approaches to delivering almost limitless computing capacity via the myriad of cloud offerings available today require a fresh look at how to provision the software powering these new capabilities.

Traditional software as a service (SaaS) and annual licensing model vendors are struggling to adapt since their normal metrics for billing customers are changing faster than they can update their spreadsheet formulas. How do you charge by the core in an elastic cloud environment?

I suggest the answer will increasingly be an open source model. Open Source is rarely free of obligation, but it blends smoothly with the new delivery paradigms. While commercial software still has a niche in specialized applications, at least for a while longer, open source is the future. The software powered economy will continue to thrive but the underlying intellectual property is quickly becoming a commodity. Vendors are learning they need to bring value to their customers in the form of exceptional service, providing data insight, and adaption to or even anticipation of ever evolving security threats. Modern customers above all want to avoid the technical debt associated with vendor lock-in which will hamper growth. A closed source model is simply no longer flexible or responsive enough to keep pace.

A quick spin through capabilities available with the virtual swipe of a credit card from Amazon Web Services, Microsoft Azure, Digital Ocean, and Google Cloud reveals the big players are quickly transforming their business models to adapt and exploit this new landscape with a strong preference for open source.

Please consider supporting me in the 2018 Twin Cities Marathon in Minneapolis, MN. I am raising money for the UnitedHealthcare Children's Fund which awards medical grants to children across the United States. I participate in multiple charity races throughout the year to help raise money for such worthy causes. You can donate here.

Thoughtful comments are welcome but always subject to moderation by the site administrator.